Beyond Chase: 9 More Banks Breached?

The hackers who successfully infiltrated the network of banking giant JPMorgan Chase have also breached the networks of approximately nine other financial institutions, none of which has been publicly named, according to an Oct. 3 New York Times report. The report quotes unnamed U.S. officials, who suspect the overseas attacks were launched by a Russian-based group that is believed to have ties to the Russian government.

Beyond that suspicion, however, investigators reportedly still don't understand the rationale behind the attacks. "It could be mixed motives - to steal if they can, or to sell whatever information they could glean," an unnamed official tells the Times. Likewise, "it could be in retaliation for the sanctions" being imposed on Russia over its actions in Ukraine.

Chase believes that the network intrusion began in June, but wasn't detected by the bank's security team until late July, by which point hackers had "obtained the highest level of administrative privilege to dozens of the bank's computer servers," the Times reports. It adds that it's only in recent days that Chase has begun to understand the full extent of the breach.

Chase Investigation Continues

The breach at Chase wasn't fully contained until the middle of August, the Times reports, adding that the bank has been working with multiple U.S. government agencies - including the Treasury Department, Secret Service, and multiple intelligence agencies - to investigate the intrusion.

What's notable, however, is that the attackers don't appear to have stolen financial information, such as bank account numbers. "We have not seen unusual fraud activity related to this incident," Chase says in a statement.

While attackers did obtain contact information - names, addresses, phone numbers and e-mail addresses - for everyone who had recently logged into Chase's website or mobile applications, such data is of little direct use for fraud. Its main value to attackers is as a target list: every entry is a confirmed Chase customer, which is exactly what a convincing spear-phishing campaign impersonating the bank needs.

"There is no evidence that financial data such as account numbers, passwords, user IDs, dates of birth or Social Security numbers were accessed, acquired or compromised," Chase says in a breach FAQ.

"We uncovered an attack by an outside adversary recently where the firm's technology environment was compromised," Kristin Lemkau, a JPMorgan Chase spokesperson, has told the Times. "We are confident we have closed any known access points and prevented any future access in the same way."

But as Bloomberg notes, if the attackers were capable enough to compromise Chase's network, they may also have been capable of leaving behind backdoors that have yet to be detected - hence the qualifier "known" in the bank's statement about closing access points.

Beware Russian Attribution

To date, the attackers' identity and motives reportedly still aren't clear, and some U.S. officials have warned against jumping to conclusions. "We've been wrong before," an unnamed official with knowledge of the Chase investigation told the Times.

That view has been echoed by multiple information security experts. "[It's] very dangerous to start attributing blame too soon," says cybersecurity expert Alan Woodward, who's a visiting professor at the department of computing at Britain's University of Surrey. "It is extremely difficult to track down these attacks and simplistic data such as IP addresses are fraught with the risk of false attribution."

In fact, advanced attackers will go out of their way not just to disguise the origin of an attack, but to deflect blame onto others. "It is a well-known tactic of criminals or cyber spies to mount false-flag operations so that investigators start chasing spurious leads," says Woodward, who's also a cybersecurity adviser to Europol's European Cybercrime Center. "We do need to be very careful about criminals hiding behind country boundaries and it is for this reason that so much effort is going into international, cross-border collaboration, including [with] countries such as Russia, so that criminals cannot hide in one country and attack another."

Complex IT Environment

Regardless of whether a Russian gang was involved in the Chase breach, because cybercriminals aim to steal money, banks are - and will remain - a top target. "The biggest ones are often the biggest targets," John Pescatore, director of research for the SANS Institute, tells Information Security Media Group. "They've also got a more complex IT environment, lots of business partners, third-party suppliers," he says, meaning that there are many potential ways an attacker might breach a bank's network.

"Bigger isn't always better, from a security perspective," he says.

Many financial services firms also continue to rely on a large amount of legacy IT infrastructure. "Some of the legacy systems in use in banking were never intended to be networked in the way they are now," the University of Surrey's Woodward says. "However, that does mean that often, whole new systems have been built to act as an interface - and in so doing, one hopes that suitable security has been included."

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as executive editor of DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
